Welcome to the Application Security Community of Practice. Our mission is to openly share resources and expertise in the domain of application security in order to enhance the overall knowledge and capabilities of the community.

In this second demo video I basically show a brief overview of the Rational Security Community of Practices Group and why it is beneficial to join it. It's a really neat group, and if you are into security you should definitely check it out and join.

Last week I made a few demos for the Rational Security Community of Practices Group. This first one explains how to create a my DW profile and add a group to enable you to further connect with people and experts that share similar interests.

My first entry here, so I thought I would keep things short and simple ...

I frequently get asked what reference materials I suggest to learn more about application security. The answer to almost everything is of course, "It depends." In fact, it depends upon the role of the person asking. It depends on whether they want an executive overview or a granular examination of the vulnerabilities, attacks and mitigation. It depends upon whether they hope to use the material as a guide or as a reference. Below are some of the materials that stand out in my collection. (I give references to Amazon where applicable only because of their popularity - not as an official endorsement.)

If you are involved in Enterprise Application Security implementation, I strongly suggest that final reference to the IBM Secure Engineering Framework (SEF). It outlines the best practices that we both internally deploy and externally suggest based on decades of software design, development and delivery. Rather than making the assumption that all software development is green field work, it recognizes that most of our software and application projects are built from legacy systems that are not easily re-factored.

For my security concentration last semester I took an interesting course on the principles of Cryptography. My professor, Dr. Shouhuai Xu, is a huge crypto enthusiast and has published many articles and papers on his experiments that I have found very interesting. This particular paper discusses memory disclosure attacks and how easy it is to acquire private keys from allocated as well as unallocated space in memory. Cryptography is based on the assumption that the key should be kept secret, and in this paper he explains how the "secret" keys of OpenSSH and Apache servers are easily compromised through data recovery in memory. Really cool stuff, a worthy read.

Abstract:

Cryptography has become an indispensable mechanism for securing systems, communications and applications. While offering strong protection, cryptography makes the assumption that cryptographic keys are kept absolutely secret. In general this assumption is very difficult to guarantee in real life because computers may be compromised relatively easily. In this paper we investigate a class of attacks, which exploit memory disclosure vulnerabilities to expose cryptographic keys. We demonstrate that the threat is real by formulating an attack that exposed the private key of an OpenSSH server within 1 minute, and exposed the private key of an Apache HTTP server within 5 minutes. We propose a set of techniques to address such attacks. Experimental results show that our techniques are efficient (i.e., imposing no performance penalty) and effective — unless a large portion of allocated memory is disclosed.

Insecure characters are the ones which can be used to introduce cross-site scripting, SQL injection and similar vulnerabilities.

For the characters listed as insecure by AppScan, HP WebInspect or any similar tool, it is important to find the balance: decide which of those characters your application should accept as legitimate input, while at the same time making sure these vulnerabilities are not introduced.
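One way to strike that balance in code, as an added example that is not part of the original post and not taken from AppScan or WebInspect: validate each field against its own allowlist (a surname legitimately needs an apostrophe, a username does not), then neutralise whatever scanner-flagged characters remain by HTML-encoding on output and by parameterising SQL, rather than rejecting the characters globally. The `SCANNER_FLAGGED` set and the field patterns are constructed for illustration, not any tool's actual list.

```python
import html
import re
import sqlite3

# Characters that scanners commonly flag as "insecure" (constructed set for
# illustration only; it is not AppScan's or WebInspect's real list).
SCANNER_FLAGGED = set("<>\"'&;()%")

# Per-field allowlists: the balance is struck per field, not globally.
# Identifiers get a strict pattern; free text tolerates far more and relies
# on output encoding instead (constructed patterns, assumed for this demo).
FIELD_PATTERNS = {
    "username": re.compile(r"^[A-Za-z0-9_.-]{3,32}$"),
    "surname": re.compile(r"^[A-Za-z' -]{1,64}$"),  # O'Brien needs the apostrophe
    "comment": re.compile(r"^[^\x00-\x08\x0b\x0c\x0e-\x1f]{0,500}$"),  # no control chars
}


def validate(field, value):
    """True if value matches the allowlist pattern for this field."""
    return bool(FIELD_PATTERNS[field].match(value))


def flagged_chars(value):
    """Scanner-flagged characters present in value, so reviewers can see what
    a field accepts and confirm it is neutralised downstream."""
    return sorted(c for c in set(value) if c in SCANNER_FLAGGED)


def render_comment(value):
    """HTML context: encode rather than reject, so '<' in a comment is harmless."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def store_and_fetch_surname(value):
    """SQL context: a bound parameter keeps a legitimate apostrophe as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (surname TEXT)")
    conn.execute("INSERT INTO users (surname) VALUES (?)", (value,))
    row = conn.execute(
        "SELECT surname FROM users WHERE surname = ?", (value,)
    ).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one that a scanner would send.
    for field, sample in [("surname", "O'Brien"), ("username", "' OR 1=1 --")]:
        print(field, repr(sample), "accepted" if validate(field, sample) else "rejected",
              "flagged:", flagged_chars(sample))
    print(render_comment("<b>hi</b> & bye"))
    print(store_and_fetch_surname("O'Brien"))
```

The point of the split is that the allowlist decides what the field means, while encoding and parameterisation decide how the accepted characters are handled in each sink; a scanner's list is a prompt to check both, not a list of characters to strip.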

Web application security issues continue to be a top priority. The only real solution is to build security into Web applications from the start. Secure coding practices and developer security tools help to preempt these issues through early discovery. IBM® Rational® AppScan® Source Edition integrates Web application security testing into development, and Web-based education tools help non-security experts find, understand, and fix security issues. This workshop shows you how to use the IBM Rational AppScan family in various stages of the development lifecycle to achieve these goals. Here is the URL for this bookmark: http://www.ibm.com/developerworks/offers/techbriefings/details/hacking2.html?S_TACT=107A727W&S_CMP=TCHBRF#download